CVE-2026-27810

NameCVE-2026-27810
Descriptioncalibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
calibre (PTS)bullseye5.12.0+dfsg-1+deb11u2vulnerable
bullseye (security)5.12.0+dfsg-1+deb11u3vulnerable
bookworm6.13.0+repack-2+deb12u5vulnerable
trixie8.5.0+ds-1+deb13u1vulnerable
forky8.16.2+ds+~0.10.5-3vulnerable
sid9.4.0+ds+~0.10.5-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
calibresource(unstable)9.4.0+ds+~0.10.5-1

Notes

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-5fpj-fxw7-8grw
Search for package or bug name: Reporting problems